Health care industry grapples with security

Concerned with security and privacy issues, many hospitals are researching new uses for information technology, such as smart cards and public-key infrastructure (PKI) security devices, to build a chain of trust into the entire health care process, experts say.

News that a Dutch hacker penetrated the patient record system at the University of Washington Medical Center in Seattle highlights the unique security challenges faced by the health care industry, say experts.

Although the hacker, who goes by the name of “Kane,” is reported to have absconded with 5,000 patient records, the hack may have been much more damaging, according to James Garvie, deputy director for information resources at the Indian Health Service, an agency within the U.S. Department of Health and Human Services. The nature of hospital patient records, said Garvie, who spoke this week at the Defending Cyberspace 2000 conference in Washington, is such that hackers also walk away with a lot of personal information on the patient’s family members.

“There don’t appear to be boundaries,” said Garvie. “The attitude today in medicine is that only with complete information can we provide effective care.” The result is that records for individual patients often contain vast amounts of personal data on relatives taken from records at other hospitals and treatment centers. The average medical record, say experts, contains more than 50,000 data elements.

The size, shape and complexity of the health care industry are such that any security scheme will have to address a wide range of factors, said John Lynch, CEO of WorldeTrust, a Cheshire, Conn.-based firm specializing in PKI solutions for hospitals.

“A typical hospital might have 20 different systems,” he said. “A typical physician might have five different offices,” he added, and may use any one of 200 different computers in a hospital, all of which may serve another 200 staff members. And “perhaps more than any other industry, hospitals have legacy systems.”

Lynch’s firm has been involved in providing PKI-enabled smart cards to at least 20 hospitals in Connecticut so far. Those hospitals are beginning to use the technology to build secure Web applications and e-mail to provide single sign-on and roving identity capabilities for doctors who work at multiple hospitals and also to create virtual private networks for doctors to review patient records securely from their homes or offices.

But it goes even deeper than that, said Lynch, who contends it is necessary to “establish a chain of trust for health care.” So some hospitals in Connecticut are using smart cards to put registration authorities in their human resources departments, where they can establish PKI-enabled employee identifications. When an employee is no longer employed by the hospital, his digital identification is no longer recognized by the hospital’s systems, said Lynch.

Likewise, some hospitals are building digital identities for their doctors. Using PKI-enabled smart cards, for example, hospitals can create these IDs for all doctors certified to work in the hospital. The cards can also contain job-based privileges for different staff members and include access privileges to the hospital facility itself, he said.
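The credential lifecycle the two preceding paragraphs describe (an HR department acting as registration authority, issuance only for staff on the roster, revocation the moment employment ends, and job-based privileges carried on the credential) can be sketched end to end in code. The following is an added example, not code from WorldeTrust or any hospital named in the article. It assumes a hypothetical role-to-privilege table, a constructed staff roster, and, to stay within the Python standard library, an HMAC over the credential body standing in for the asymmetric signature a real PKI certificate would carry; the verification, revocation and authorization logic is the same either way.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Hospital "CA" signing key (constructed). In a real PKI this would be an
# asymmetric key pair and the credential an X.509 certificate; an HMAC stands
# in for the signature here so the example needs no third-party library.
CA_KEY = b"constructed-hospital-ca-key"

# Hypothetical job-based privilege table: which actions each role may perform.
PRIVILEGES = {
    "physician": {"read_patient_record", "write_orders", "open_ward_door"},
    "clerk": {"schedule_appointment", "open_ward_door"},
}


def canonical(body):
    """Deterministic serialization so the signature covers exactly one encoding."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class RegistrationAuthority:
    """HR as the registration authority: issues credentials only for staff on
    its roster and revokes every credential of an employee who leaves."""

    def __init__(self, roster):
        self.roster = dict(roster)   # employee_id -> {"name": ..., "roles": [...]}
        self.issued = {}             # serial -> employee_id
        self.revoked = set()         # serials on the revocation list (the CRL)

    def issue(self, employee_id, now, validity_days=365):
        if employee_id not in self.roster:
            raise ValueError("not on HR roster: refusing to issue a credential")
        serial = secrets.token_hex(8)
        body = {
            "serial": serial,
            "subject": employee_id,
            "roles": sorted(self.roster[employee_id]["roles"]),
            "not_before": now.isoformat(),
            "not_after": (now + timedelta(days=validity_days)).isoformat(),
        }
        sig = hmac.new(CA_KEY, canonical(body), hashlib.sha256).hexdigest()
        self.issued[serial] = employee_id
        return {"body": body, "sig": sig}

    def terminate(self, employee_id):
        """Employment ends: drop from roster and revoke all issued credentials."""
        self.roster.pop(employee_id, None)
        for serial, subject in self.issued.items():
            if subject == employee_id:
                self.revoked.add(serial)


def verify(credential, crl, now):
    """Signature, revocation and validity-window checks, in that order."""
    body, sig = credential["body"], credential["sig"]
    expected = hmac.new(CA_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if body["serial"] in crl:
        return False, "revoked"
    not_before = datetime.fromisoformat(body["not_before"])
    not_after = datetime.fromisoformat(body["not_after"])
    if not (not_before <= now <= not_after):
        return False, "outside validity window"
    return True, "ok"


def authorize(credential, crl, action, now):
    """Grant an action only if the credential verifies and a role permits it."""
    ok, reason = verify(credential, crl, now)
    if not ok:
        return False, reason
    for role in credential["body"]["roles"]:
        if action in PRIVILEGES.get(role, set()):
            return True, "granted via role " + role
    return False, "no role grants " + action


def demo():
    """Walk one physician and one clerk through issuance, use, tampering,
    termination and expiry; returns the outcome of each step."""
    now = datetime(2000, 6, 1, tzinfo=timezone.utc)
    ra = RegistrationAuthority({
        "dr-smith": {"name": "Dr. Smith", "roles": ["physician"]},   # constructed
        "clerk-01": {"name": "Ward Clerk", "roles": ["clerk"]},      # constructed
    })
    doc, clerk = ra.issue("dr-smith", now), ra.issue("clerk-01", now)
    out = {}
    out["doc_reads_record"] = authorize(doc, ra.revoked, "read_patient_record", now)[0]
    out["clerk_reads_record"] = authorize(clerk, ra.revoked, "read_patient_record", now)[0]
    out["clerk_opens_door"] = authorize(clerk, ra.revoked, "open_ward_door", now)[0]
    # A clerk who edits the role list on the card invalidates the signature.
    forged = {"body": dict(clerk["body"], roles=["clerk", "physician"]), "sig": clerk["sig"]}
    out["tampered_clerk"] = authorize(forged, ra.revoked, "read_patient_record", now)[0]
    # Termination: the credential is revoked and no new one can be issued.
    ra.terminate("dr-smith")
    out["doc_after_termination"] = authorize(doc, ra.revoked, "read_patient_record", now)[0]
    try:
        ra.issue("dr-smith", now)
        out["reissue_refused"] = False
    except ValueError:
        out["reissue_refused"] = True
    # Expiry: a still-employed clerk's credential lapses after its validity window.
    out["clerk_expired"] = authorize(clerk, ra.revoked, "open_ward_door",
                                     now + timedelta(days=400))[0]
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The order of checks in `verify` matters: a signature failure is reported before the revocation list is consulted, so a forged credential never reaches the roster at all, and the revocation list is the only state the relying system needs from HR, which is what lets a terminated employee's card stop working everywhere without touching each of the hospital's separate systems.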

But in the near future, the patient will also be part of the digital care process, said William York, the program manager with Litton PRC who manages the Government Computer-based Patient Record framework project. GCPR is an effort by the Department of Defense, Indian Health Affairs and the Department of Veterans Affairs to create a master digital index of 18 million patient records from dozens of systems that use different standards and formats.

“Moving information along with the patient is a real problem,” said York, adding that the Health Insurance Portability and Accountability Act of 1996 allows hospitals the choice of employing between 700 and 800 different data standards to share information. “We have standards,” said York, “… about 700 to 800 of them.”

“We’ve done very well with [the challenge of identifying] who is asking [the questions],” said York, referring to the process of standardizing and securing the digital processes that doctors use. “We just don’t know who the patient is,” he said. “The smart card may be the answer in the long term.”